How does a logic bomb work?

In December 2006, an ex-employee of the financial company UBS PaineWebber was sentenced to eight years in prison and more than $3 million in restitution for planting a logic bomb in UBS's computer network in 2002. When the bomb went off, 1,000 computers lost critical files as the code started deleting data. The reportedly disgruntled employee, Roger Duronio, had counted on this causing the company's stock price to drop. He invested $23,000 in put option contracts, meaning he would've earned money from a hit to UBS stock. The stock price didn't budge after the attack. Duronio's logic bomb only earned him jail time and more money in payback than he could ever afford.

A logic bomb, also called slag code because all that's left after it detonates is computer slag, is not the same thing as a virus, although it often behaves in a similar manner. It is a piece of computer code that executes a malicious task, such as clearing a hard drive or deleting specific files, when it is triggered by a specific event. It's secretly inserted into the code of a computer's existing software, where it lies dormant until that event occurs. This event might be a positive trigger, such as a specific date and time or the removal of an employee's name from the salary database; or it might be a negative trigger, such as a particular employee failing to input a command by a certain time -- meaning he or she is probably not at the company anymore. Negative triggers are considered to be more dangerous than positive ones, since the risk of accidentally triggering the bomb -- say, if the employee is suddenly hospitalized with appendicitis -- increases dramatically. And when the bomb goes off, the damage is done -- files are deleted, secret information is sent to the wrong people, the network is crippled for days ...

The payload of a logic bomb is usually pretty devastating to the company under attack. It's often a tool used by angry employees -- in the IT world, it has a reputation of being associated with "disgruntled employee syndrome." And a disgruntled employee probably wouldn't get too much satisfaction from making a smiley face show up on every networked computer at 3:14 p.m. on a specific Tuesday. A logic bomb doesn't have much use outside of targeting a specific computer or network, and IT employees are usually the only ones with the access and know-how to implement one. Logic bombs aren't usually programmed to spread to unknown recipients, although there are some virus types that are considered logic bombs because they have a time-and-date trigger. And some viruses have a logic bomb embedded in them that carries out a payload in addition to the virus's replicating function. For the most part, though, a logic bomb stays put within the network in which it was inserted. This makes it much easier to create than a virus. All it needs to do is execute a task; it doesn't need to reproduce, which is a more complicated function.

To catch a logic bomb being inserted into a network, most IT experts recommend constant monitoring, not only of the network as a whole but also of each individual computer on it, using antivirus software and other scanning programs designed to pick up on new objects in a computer's data.

The type of action carried out in a logic bomb does have a non-destructive use: It makes restricted, free software trials possible. After a certain time period, a piece of code embedded in the software's code causes the free software to disappear or become crippled so the user needs to pay to continue to use it. But since this is a non-malicious, user-transparent use of the code, it's not typically referred to as a logic bomb.